Visualizing Azure Sentinel Billable Data by Solution and Data Type

We make it easy to quickly monitor data consumption for Azure Sentinel in the Settings blade in the console (Monitor data ingestion and retention). But, for those cost-conscious individuals who need more, here are a couple of valuable KQL queries to better visualize data consumption. Billable data volume by data type: Usage | where TimeGenerated > ago(32d) …

Locate all the Preview Goodies in Your Azure Sentinel Console

There are Preview items and Private Preview items (if you've joined the Private Preview program) in your Azure Sentinel console. You come across one or two periodically, but how do you locate all of them at once? It's pretty simple to do, but often overlooked. In the Data Connectors, Analytics, or Hunting blades, just enter 'preview' in …

Intune DeviceType Reference for Azure Sentinel KQL

As you start to connect your Intune/Endpoint Manager logs to Azure Sentinel, you may notice right away that there's a DeviceType column exposed that looks valuable, but the results show ID numbers instead of device names. This DeviceType column maps directly to the DeviceTypeID for Intune device entities. As an example, the following …

MITRE ATTACK Framework Reference for Azure Sentinel

The MITRE ATT&CK framework is used within Azure Sentinel to help classify threats to the organization and to provide a quicker understanding of the stage at which an intrusion exists. You'll see this displayed as a timeline at the top of the Hunting blade in Azure Sentinel, as shown in the next image: MITRE ATT&CK Framework in the …

Digging Deeper into Intune and Azure Sentinel

Last week I finally found some time to start digging into managing security for Intune-enrolled devices with Azure Sentinel. Obviously, the first thing that had to be done was to connect Intune data to Azure Sentinel. Read about how to do that here: Connecting Intune to Azure Sentinel. The next step was to ensure that …

Azure Sentinel Rare Occurrences Incidents Generated After Setup

One of the official Microsoft offerings I deliver to customers includes a Day 1 setup of Azure Sentinel, which then leads into a 3-day workshop. That Day 1 setup is important so that we have the customer's real data to work with for the rest of the week, and the customer has data to continue …

New Private Preview Tag in Azure Sentinel

Are you part of the Private Preview program for Azure Sentinel and confused about which previews you're testing? We've added a new feature to the News & Guides blade to help minimize the confusion and also provide links to each preview's documentation and participation requirements. Directly in the Azure Sentinel console, go to the News & …

Shortcut Way to Enable Azure Sentinel Analytics Rules

One of the things we're not quite clear about in our documentation is that enabling Analytics Rules is part of the overall setup of Azure Sentinel. I can't count the number of times I have worked with customers who have stood up Azure Sentinel and enabled the Data Connectors they want, but are then left scratching …

Sharing Workbook Data Outside Azure Sentinel with Non-analysts

Customers quite often ask how they can share their Workbooks with others outside of Azure Sentinel, i.e., give access to the valuable visualizations/reports to those who don't need full Azure Sentinel access. The solution is actually much easier than it might seem and involves a very simple method of using the pinning features of Workbooks …